Abstract

Complex systems are characterised by highly complex behaviour processes, diverse operating environments and multi-factor coupling among human, equipment and environment, which poses a serious challenge to safety assessment. Domestic and foreign accident-causation theories and accident modelling methods are analysed, the current research results and their deficiencies are identified, and, on the basis of an analysis of the accident characteristics of the behaviour process of complex systems, a multi-view based accident modelling method for the behaviour process of complex systems is proposed. Through modelling and analysis, the factors causing an accident, the combinations of these factors and the evolution path of the accident are examined, and the safety state space of the complex system is established so that accidents can be anticipated and controlled. Finally, the applicability of the method is verified through a case study.
Preface

As systems become increasingly complex, the occurrence of system accidents and the accident process show strong multi-factor coupling characteristics. A slight change in the initial conditions, or a different combination of the various factors, leads to different behaviours. Human behaviour within the behaviour process naturally excites different combinations of factors and gives rise to complicated accident evolution processes through various forms of coupling (mutual interaction, mutual supplementation and mutual restriction) among the operating environment, the hardware system and the software system in the domains of material, energy and information.


Regarding the laws governing accident occurrence, there are many domestic and foreign accident-causation theories; among them the STAMP (Systems-Theoretic Accident Model and Processes) model proposed by Nancy Leveson of MIT is a typical representative of the latest stage of accident modelling development. It holds that there is no fixed sequence of events in the evolution of an accident: within a certain region of space and time, when interacting factors such as human, equipment and environment are present, an accident can occur. However, Leveson's theory covers the management and human aspects without giving a specific and readily applicable modelling and analysis method.

Traditional safety analysis methods depend too much on personal experience; methods such as FTA (fault tree analysis) and ETA (event tree analysis) analyse the already known logical relationship between cause and effect in the accident process. With regard to methods used for safety simulation, comprehensive research has been carried out at home and abroad, particularly in the field of human factors, where models of human decision-making and of the human cognition process have been provided. With regard to simulation analysis of the accident process, on the one hand Petri nets and finite state machines have been applied to the analysis of the flight process of commercial aircraft and of contingency plans, as a quantitative analysis conducted on the basis of a known accident process; on the other hand, the effects of hardware failure modes on equipment safety have been analysed from the mechanism angle and a model-based safety analysis method has been proposed.

At present there are few studies that start from the complex coupling relations among multiple factors and provide a modelling method for reasoning clearly and completely about the evolution process of an accident. In view of this situation, an accident modelling method based on multiple views of the behaviour process of a complex system is proposed. It is used to analyse the factors causing an accident, the combinations of these factors and the accident evolution path, to determine whether the system will have an accident under the effect of certain factors and combinations of factors, and on that basis to establish the safe state space of the complex system. The applicability of the method is verified through a case study.

Accident Evolution Process of Complex System

During system operation, the occurrence and development of an accident are closely related to the hierarchical structure of the system behaviour process, the sequential logic among its activities and the system state. The causes of failure are reflected in the components of the system and their states, that is, unsafe human behaviour, unsafe material conditions, unsafe environmental states and even management failures, together with their interrelations and interactions. Owing to human error, equipment failure or environmental change, the output changes correspondingly. The operator adjusts the system state through output feedback, and the equipment also has a certain self-adaptive capability. When the system state goes beyond the safety limit, the system enters a dangerous state; without effective control, an accident follows. Complex system accidents have the following features:

Dynamic

From safety to danger and from danger to accident, the system state is in a process of dynamic change, changing with the continuous interaction among human, equipment and environment.

Process-oriented

From occurrence and development to accident, the process shows the characteristics of a delay in development and of secondary effects of the events preceding the accident.

Uncertain

All the elements affecting system safety, such as human operation, equipment failure and environmental change, are uncertain, and they drive the evolution of the system state from the safe state to the accident state.

Multi-factor coupling

During system operation, human, equipment and environment are in the same loop, and owing to human error, equipment failure or environmental change the output changes correspondingly. The occurrence of an accident is therefore closely related to the coupling characteristics of subsystem failures within the system.

The state space traversed by the evolution of the system state during operation can be divided into the safe state space, the hazardous state space and the accident state space (the latter two together are called the unsafe state space). The safety margin is the dividing line between the safe and unsafe state spaces; it is also the watershed of safety control. Specifying the evolution path of a system accident and establishing the system safety margin are therefore of great importance. The accident evolution process is shown in figure 1.
Multi-view Based Accident Modeling Method for the Behavior Process of Complex System

Multi-view Based Accident Rehearsal Modelling Process

1) Connotation of Accident Rehearsal

Accident rehearsal is defined as follows: by describing the coupling relations and interactions of the various factors (human, equipment and environment) involved in system operation, and by simulating system operation, one starts from an initial cause that affects the safety of system operation and rehearses whether the system will have an accident under the effect of certain factors and their combinations; on this basis the safety state space of the complex system is established.

2) Connotation of Multi-view

During modelling and simulation, the multi-view consists of three views:

a) Event view

The event view addresses the structural and functional hierarchy of the complex system. It performs a top-down decomposition and abstract description of the hierarchy of the events (activities) that form the behaviour process and of their subordination relationships. On this basis it specifies the factors involved in each activity of the behaviour process (such as pilot, aircraft and environment), together with the reference parameters and constraint criteria for accident modelling and simulation, derived from the properties and ranges of these factors: for example the pilot's delay time and type of operation; the speed, altitude and pitch angle of the aircraft; the environment type, and so on.

b) State view

The state view describes the states of human, equipment and environment that may exist in an activity unit of the behaviour process, and the trigger conditions of state transitions. For example, the pilot's state can be normal operation or operational error, and an environmental effect or an equipment failure could trigger the operational error.

c) Process view

The process view describes the temporal-logic associations among the events (activities) that form the flow, and the flow process itself. The temporal-logic association is driven by activities (for example, an activity is initiated when the activity preceding it arrives). The basic unit of the process view is therefore the activity. In terms of expression, the process view combines the event (activity) view with all the activities in the state view to describe the operating mechanism of the flow and to establish a dynamic description of the process.

3) Multi-view Based Accident Rehearsal Process

First, the multi-view based accident rehearsal process carries out an in-depth analysis of the system and the system task, covering the system function, the system hierarchy, the system operating principle, system failures, the description of the behaviour process, the safety-related factors involved in each stage of the behaviour process, and the relations among those factors.

On that basis, centred on the process chart and beginning at the starting point of the target process (for example, the description of an aircraft approach begins with interception of the glide path), the selection of the activity path during the process depends on the real-time system status in the state view. Meanwhile, the different human operations, environments, equipment types and conditions determined by the different activities also have different effects on the system state. Through iterative interaction between the process view and the state view, the evolution of the system behaviour is simulated. At any point in time of the evolution process, the abnormal deviations of human, equipment and environment described in the state view (such as personnel error, equipment failure or an accident-prone environment) can be modelled and injected, and the evolution of the system state under the effect of these abnormal deviations is rehearsed. According to the constraint criteria determined by the event (activity) view, it is decided whether an accident occurs.

The multi-view based accident rehearsal modelling process is shown in figure 2.

Event View Based Process Hierarchy Model

A complex behaviour process is divided into an object dimension and a process dimension. The evolution of the system state during the process is the coupling of the object dimension within the process dimension. From the two angles of the object dimension and the process dimension, the event (activity) view performs a top-down decomposition and abstract description of the hierarchy of the events (activities) that form the behaviour process and of their affiliation, as shown in figure 3.
FIG. 2 MULTI-VIEW BASED MODELING PROCESS

FIG. 3 SCHEMATIC DIAGRAM OF EVENT VIEW


The formal description of the behaviour process is

$P = \langle O_d, P_d \rangle$

where $O_d$ represents the object dimension, including human (operator, designer, etc.), equipment (hardware, software, etc.) and environment (weather conditions, geographical conditions, etc.):

$O_d = \{S_h, S_e, S_{en}, C_{oup}\}$

$S_h$ represents the personnel state, $S_e$ the equipment state, $S_{en}$ the environment state and $C_{oup}$ the coupling of human, equipment and environment.

$P_d$ represents the process dimension, $P_d = \{A, R\}$, where $A = \{a_1, a_2, \ldots, a_n\}$ is the set of all activities (basic behaviour units) in the process and $R = R\{a_1, a_2, \ldots, a_n\}$ is the set of all relationships among the activities.


Taking the overall task as the object and the features of the behaviour stages as the basis, the behaviour process is broken down. The event view can be divided successively into several levels, from the sub-processes at the top level down to the basic behaviour units at the lowest level. To distinguish it from information-transfer activities between personnel, the event (activity) here mainly denotes the general name of all activities performed by personnel that change the system state directly.

The principles of process breakdown are as follows:

• Limitation. A process cannot be decomposed without limit. Whether it is decomposed into sub-processes or basic activities, there is always a principle governing the degree of decomposition: the activity or sub-process obtained must be meaningful.

• Determinacy. When the behaviour process is decomposed, each basic unit obtained must have a determined input, output (result) and corresponding operation.

• Induction. If the input or output of a certain process is not well known, it can be treated as a series of mutually related activities and merged into the preceding process rather than being kept as a single process.

All the factors involved in the behaviour process, such as personnel, equipment and environment, are decomposed. Combining the features of the factors, the personnel involved above the basic behaviour unit are broken down, such as operator, maintainer and manager; the equipment involved during operation and its states, such as the landing gear and flaps of an aircraft; and the environment, such as wind shear, convection, heavy fog and rain. Finally, the analysis results are entered in table 1 to support the multi-factor coupling analysis.


TABLE 1 EVENT-FACTOR ANALYSIS

Layer \ Factor | Personnel | Equipment | Environment
---------------|-----------|-----------|------------
Basic          |           |           |


For each of the human, equipment and environment factors involved in the system, it is necessary to specify the key safety parameters $C_s$ determined by the system itself, such as the reaction time of personnel, the diffusion range and time of a fire on the equipment, or the radiation range of radioactive equipment. The key safety parameter set $C_s = \{C_{s1}, C_{s2}, \ldots, C_{sn}\}$ is established and entered in table 2:


TABLE 2 KEY PARAMETER CONSTRAINT LIST

Type \ Parameter    | C_s1 | C_s2 | ... | C_sn
--------------------|------|------|-----|-----
Type of personnel   |      |      |     |
  operator          |      |      |     |
  communicator      |      |      |     |
Type of equipment   |      |      |     |
  equipment 1       |      |      |     |
  equipment 2       |      |      |     |
Type of environment |      |      |     |
  environment 1     |      |      |     |
  environment 2     |      |      |     |

State View Based System State Modeling

Taking the basic activity units output by the analysis of the system operation process as the entry point, the state view combines the conclusions of the single-factor analysis for each basic activity unit and then deduces the system output state determined by the multi-factor input state together with the multi-factor coupling effect. The output state here mainly means the state of the equipment and personnel, because whether the system is safe is generally expressed by the state of the equipment and personnel. The state within each basic activity unit $A_i$ is defined as the five-factor group $S_i = \{O_{di}, X_i, Y_i, F_i, Q_i\}$.

FIG. 4 A FIVE-FACTOR GROUP


where $O_{di}$ represents the system state in the $i$-th basic activity, for example, the flight is normal but at a low altitude; $X_i$ represents the event input to activity $A_i$, that is, the state variables output by the previous activity unit; $Y_i$ represents the output of the basic activity unit, namely the physical quantities the system needs to observe, such as the altitude and speed of an aircraft; $F_i$ represents the state transition function (defined below); and $Q_i$ represents the trigger events in the basic activity unit that affect the system state, such as an abnormal environment damaging the equipment, or human error.


TABLE 3 COUPLING DEVIATION

Property         | Coupling deviation description
-----------------|-------------------------------------------------------------------
Function         | Nothing occurs
                 | Another action occurs, or the action is partially repeated
                 | Only part of the action is performed
                 | The wrong action is performed
Control          | The controlling action does not occur
                 | An unexpected action occurs
                 | The action is unfinished
                 | The wrong action is performed
Time             | Unexpected command
                 | The action occurs before the set time
                 | The action occurs after the set time
                 | No action
Information      | No communication
                 | Confusion occurs as another voice appears together with the command
                 | Only part of the command is received (possibly due to noise)
                 | The wrong command is sent, or the command is misunderstood
                 | More commands are sent than regulated
Spatial position | No space
                 | Space relatively large
                 | Space relatively small


In $Q = \langle F, P_m, P_l, P_p, t \rangle$, $F$ represents the factors, $F = \langle F_h, F_{en}, F_{eq} \rangle$, including the human factor $F_h$ (operator, manager and monitor), the environment factor $F_{en}$ (low visibility, crosswind) and the equipment factor $F_{eq}$. $P_m$ represents the type of abnormal deviation of the human, equipment and environment factors. Human, equipment and environment are mainly coupled in five aspects (spatial position, time, function, information and control) and thereby affect the change of the system state, as shown in table 3.

$P_l$ represents the deviation range, such as the range of the operation delay $[t_1, t_2]$, which states that the operation delay lies between $t_1$ and $t_2$. $P_p$ represents the probability of occurrence.

$F_i$ represents the state transition function, $Y_i = F_i(O_{di}, Q_i)$, which composes the execution conditions of the state transition. There are mainly two kinds of method:

• Production method: a rule of the form IF A THEN B, in which A is called the left-hand side (antecedent) of the production and B the right-hand side (consequent). The reasoning of production rules is based on expert knowledge and intuitive experience.

• Analytic method: when the input and output can be described by a determined functional relation, the analytic method is applied to describe the logical relations within the system directly (the coupling relations among the sub-systems), that is, the multi-factor coupling analysis is performed by establishing a mathematical or mechanistic model.

$t$ represents the time point in the process at which the deviation occurs.

Process View Based Process Logic Modelling

On the basis of the process breakdown, the process view method is applied to describe the temporal-logic associations among the events (activities) that form the flow, and the flow process itself. The interactive relationship among activities is $R = R\{a_1, a_2, \ldots, a_n\}$, $R = \langle P, T \rangle$, where $P$ represents the information transfer between activities and $T$ the control relations between activities.

An activity $A$ is defined as the six-factor group $A = \langle N, S, X, Y, T, C \rangle$, where

$N$ represents the activity name.

$S$ represents the activity state, $S = \{\text{Normal}, \text{Abnormal}\}$, in which the normal states include waiting, preparation, operation, cancel and complete, while the abnormal states include "abnormal start" and "abnormal stop".

$X$, $Y$ represent the information flow between activities, $X$ being the information input and $Y$ the information output.

$T$ represents the control flow relations among activities; typical control flow structures are shown in figure 5.

FIG. 5 CONTROL RELATIONS

1) Single cause, single effect mode: the simplest relationship between failures, in which one premise event leads to one effect event;

2) Multi-cause, single effect mode: the premise events are combined by an "and" relation, that is, one effect event is triggered by several premise events, and only when all of these premise events occur does the effect event follow;

3) Competition mode: equivalent to combining the premise events by an "or" relation; its essence is that one effect event is triggered by any one of several premise events, so the relationship between the premise events is a "degraded competition";

4) Single cause, multi-effect mode: describes the phenomenon of "one premise event, several effect events";

5) Selective mode: one event can lead to several follow-up events, but during each run of the system only one of them occurs, selected according to the system state;

6) Cyclic feedback mode: describes an activity that must be repeated under a certain condition.

$C$ represents the trigger mechanism of activity transitions. It depends on the one hand on the requirements of the behaviour process and on the other hand on the state of the entities inside the activity; in particular, when a different activity route has to be selected according to different instantaneous states, the entity state input is required.
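As an added illustration (not code from the paper), the following Python sketch encodes the six-factor activity group A = <N, S, X, Y, T, C> and runs a small process engine over it: control predecessors with an "and" join give the multi-cause mode, an "or" join gives the competition mode, guards on the shared entity state give the selective mode, and a repeat predicate gives the cyclic feedback mode. The landing fragment it runs (intercept, glide tracking, land or wave off, arrest) and the numeric values in it, such as the 0.8 m correction per tracking pass and the limit of three passes, are assumptions for the example; only the activity states and the 1.52 m acceptable vertical deviation of Table 4 come from the paper.

```python
"""Process-view activity engine (added example, not the paper's code).
Activity = <N, S, X, Y, T, C>; the Process holds P (information passed on a
shared board) and fires activities whose control relation T and trigger C hold."""
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Board = Dict[str, float]
ABNORMAL_STATES = {"abnormal start", "abnormal stop"}   # normal: waiting, preparation, operation, cancel, complete
ACCEPT_VERTICAL = 1.52   # Table 4 acceptable vertical deviation (m); used here as the wave-off criterion (assumption)


@dataclass
class Activity:
    name: str                                          # N
    body: Callable[[Board], Board]                     # maps X to Y
    preds: List[str] = field(default_factory=list)     # T: control predecessors
    join: str = "and"                                  # "and" = multi-cause mode, "or" = competition mode
    guard: Optional[Callable[[Board], bool]] = None    # C: trigger on the entity state (selective mode)
    repeat: Optional[Callable[[Board], bool]] = None   # cyclic feedback mode: run again while true
    state: str = "waiting"                             # S
    x: Board = field(default_factory=dict)             # X: information input
    y: Board = field(default_factory=dict)             # Y: information output


class Process:
    def __init__(self, activities: List[Activity]) -> None:
        self.acts = {a.name: a for a in activities}
        self.board: Board = {}     # P: information transferred between activities

    def ready(self, a: Activity) -> bool:
        """T and C together: predecessors done (all for 'and', any for 'or') and guard true."""
        if a.state != "waiting":
            return False
        if a.preds:
            done = [self.acts[p].state == "complete" for p in a.preds]
            if not (all(done) if a.join == "and" else any(done)):
                return False
        return a.guard is None or a.guard(self.board)

    def run(self, max_steps: int = 100) -> List[str]:
        """Fire every ready activity per step until nothing is ready; return the activity trace."""
        trace: List[str] = []
        for _ in range(max_steps):
            fired = [a for a in self.acts.values() if self.ready(a)]
            if not fired:
                break
            for a in fired:
                a.state, a.x = "operation", dict(self.board)
                try:
                    a.y = a.body(a.x)
                except Exception:            # equipment or personnel failure inside the activity
                    a.state = "abnormal stop"
                    trace.append(a.name + " (abnormal stop)")
                    return trace
                self.board.update(a.y)
                a.state = "complete"
                trace.append(a.name)
                if a.repeat is not None and a.repeat(self.board):
                    a.state = "waiting"      # cyclic feedback: the activity re-arms itself
        return trace

    def abnormal(self) -> List[str]:
        return [a.name for a in self.acts.values() if a.state in ABNORMAL_STATES]


def build_landing_process(initial_h_dev: float) -> Process:
    """Landing fragment: intercept -> track glide (repeated) -> land | wave off; arrest needs land AND hook down."""
    def intercept(x: Board) -> Board:
        return {"h_dev": initial_h_dev, "passes": 0}

    def track_glide(x: Board) -> Board:
        h = x["h_dev"]
        corrected = h - math.copysign(min(0.8, abs(h)), h)   # assumed 0.8 m correction per pass
        return {"h_dev": corrected, "passes": x["passes"] + 1}

    def in_window(b: Board) -> bool:
        return abs(b["h_dev"]) <= ACCEPT_VERTICAL

    return Process([
        Activity("intercept", intercept),
        Activity("hook_down", lambda x: {"hook": 1.0}),
        Activity("track_glide", track_glide, preds=["intercept"],
                 repeat=lambda b: not in_window(b) and b["passes"] < 3),   # at most three passes (assumed)
        Activity("land", lambda x: {"landed": 1.0}, preds=["track_glide"], guard=in_window),
        Activity("wave_off", lambda x: {"landed": 0.0}, preds=["track_glide"],
                 guard=lambda b: not in_window(b)),
        Activity("arrested", lambda x: {"stopped": 1.0}, preds=["land", "hook_down"], join="and"),
    ])


if __name__ == "__main__":
    print(build_landing_process(2.0).run())   # small deviation: lands and is arrested
    print(build_landing_process(4.0).run())   # large deviation: three tracking passes, then wave off
```

With an initial 2 m deviation the trace is intercept, hook_down, track_glide, land, arrested; with 4 m the tracking activity repeats three times and the selective guard routes the process to wave_off instead, so the "arrested" activity, which needs land AND hook_down, never fires.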
Accident Modeling and Simulation of Carrier-Based Aircraft Landing Process

This paper targets the landing process of a foreign carrier-based aircraft. It considers three factors that influence landing: the vertical height variation of the aircraft carrier 3 s before landing; human error due to the environment (for example at night); and the time at which the human error occurs.

Behavior Process Description

After intercepting the glide path entrance, the pilot brings the carrier aircraft down along the glide path with the aid of the Fresnel Lens Optical Landing System (FLOLS), keeping the flight path angle at about -3.5°. FLOLS projects five layers of beams of different colours parallel to the glide path; the orange beam in the middle indicates the ideal track, so if the pilot sees the orange beam the aircraft is on the ideal track. The carrier aircraft then operates in a complex air environment: besides the natural wind field there is turbulence generated by the movement of the aircraft carrier, the most significant part of which is the wake flow known as the "rooster tail". Moreover, because the carrier deck is constantly moving, a large motion can raise the stern by about 2 m, which may cause a large landing deviation. These external factors make it difficult for the pilot to maintain the glide track and land accurately. The landing signal officer (LSO) on the carrier weighs the various factors of deck motion, aircraft characteristics and pilot skill, and sends commands to the pilot by radio requiring him to adjust the flight state or wave off.

FIG. 6 EVENT VIEW BASED MODELING OF LANDING PROCESS

Multi-view Based Process Modelling

1) Event View Based Modelling

The landing process of a carrier aircraft is complex and involves many factors: equipment, such as the aircraft, the arresting wires and the Fresnel lens optical landing guidance system; personnel, such as the pilot and the landing signal officer (LSO); and environment, such as crosswind, rain, heavy fog and the rooster-tail wake flow. The hierarchical model of the landing process is shown in figure 6. As table 4 shows, the landing location of the carrier aircraft is the safety constraint criterion.

2) State View Based Modelling

During the landing of the aircraft, the safe states include: landing attitude entered, appropriate altitude, successful landing and successful wave-off; the dangerous states include: low altitude, high altitude and entering the wave-off state; the accident states are: crashing into the carrier or into the sea, and running off the runway.

The trigger events $Q_i$ affecting the aircraft state involve personnel and environment; their specific values are shown in table 5.

The aircraft state transition function $F_i$ is the aircraft motion model. When the carrier aircraft is gliding towards the carrier, its speed and track angle are essentially unchanged, so the aircraft motion model can use the perturbation (small-disturbance) linear equations:

TABLE 4 ACCEPTABLE RANGE OF LANDING LOCATION DEVIATION (m)

Deviation type       | Ideal value   | Acceptable value
---------------------|---------------|------------------
Horizontal deviation | -6.1 to 6.1   | -12.2 to 12.2
Vertical deviation   | -0.76 to 1.52 | -1.52 to 3.05
Lateral deviation    | -1.52 to 1.52 | -3.05 to 3.05


TABLE 5 TRIGGER EVENTS

Q_i | F     | P_m                     | P_l         | t
----|-------|-------------------------|-------------|-------------------
Q_1 | pilot | wrong action performed  | [-2, 2]     | [0, 8 s]
Q_2 | deck  | pitching                | [-2.3, 2.3] | 3 s before landing

$\dot{x} = Ax + Bu + Ew$

$y = Cx + Du$

where the state vector is $x = (v, \alpha, \vartheta, \omega_z, h)^T$, the control vector is $u = (\delta_z, \delta_p)^T$, the output vector is $y = (\vartheta, n_y, v, \alpha, \theta, h)^T$ and $w$ is the external disturbance input (the air wake). Here $v$ represents the disturbance of the carrier aircraft speed, m/s; $\alpha$ the disturbance angle of attack, rad; $\vartheta$ the disturbance pitch angle, rad; $\omega_z$ the disturbance pitch rate, rad/s; $h$ the disturbance height variation, m; $\delta_z$ the throttle lever deflection angle, rad; $\theta$ the disturbance track angle, rad; and $n_y$ the disturbance vertical overload, m/s$^2$.

Besides the kinematic model of the aircraft, the simulation involves other sub-models:

a) Pilot model. A variable-strategy pilot model is used: if the carrier aircraft is affected only by small wake disturbances, the pilot's control of the aircraft is a continuous tracking action; if the pilot is required to change the flight state significantly, he applies a discrete control strategy.

b) Aircraft carrier air wake model. The marine atmospheric disturbance model defined in MIL-F-8785C is used, whose velocity components include a free-atmosphere turbulence component, a steady component of the carrier air wake, a periodic component and a random component.

c) Aircraft carrier motion model. An engineering motion model is used, which simulates the six-degree-of-freedom motion in harmonic form.
3) Process View Based Modelling

Based on the description and analysis of the carrier aircraft landing process, the landing process view is established and the logical input-output relationships between the key activities are specified, as shown in figure 7.

Result of Accident Modelling Simulation

This paper develops a safety simulation of the carrier-based aircraft landing process. Through simulation, it can be rehearsed whether the carrier-based aircraft is able to land safely when these factors are combined with different values, and the safety constraint model shown in figure 8 is then established. The region enclosed in the constraint diagram is the safe state space, which constitutes a dynamic safety constraint.

FIG. 7 PROCESS VIEW OF CARRIER-BASED AIRCRAFT

FIG. 8 SAFETY CONSTRAINT DIAGRAM (axes: the time when the human error happens; the vertical height variation of the carrier; the region outside the constraint is marked "accident")
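The rehearsal loop of the method (process view selecting the activity path, state view injecting deviations, event-view constraint deciding the outcome) can be made concrete for this case. The following Python block is an added example and not the paper's simulation: it encodes the trigger events of Table 5 as the tuple Q = <F, P_m, P_l, P_p, t> of the state view section, sweeps the time of the pilot's wrong action and the deck height variation over their ranges, integrates a deliberately simplified vertical-channel model in place of the paper's perturbation equations and pilot, wake and carrier-motion sub-models, and classifies the touchdown deviation against the vertical bands of Table 4 to obtain a safety constraint map of the kind shown in figure 8. The approach speed, pilot delay, gain and rate limit, the one-second duration and nose-down sign of the wrong action, and the occurrence probabilities are assumptions; the factor ranges and the Table 4 bounds are the paper's.

```python
"""Carrier landing accident rehearsal (added example, not the paper's simulation code).
State view: trigger events Q = <F, P_m, P_l, P_p, t>; event view: Table 4 vertical bands as
the constraint criterion; process view: time-stepped rehearsal of the glide until touchdown."""
import math
from dataclasses import dataclass, replace
from typing import Dict, Optional, Sequence, Tuple

# --- assumed simulation parameters (not from the paper) ---
V = 70.0             # approach speed, m/s
T_END = 8.0          # final-approach horizon, s (Table 5 gives the error time range [0, 8 s])
DT = 0.1             # integration step, s
PILOT_DELAY = 0.5    # pilot reaction delay, s
PILOT_GAIN = 1.0     # vertical correction commanded per metre of observed deviation, (m/s)/m
PILOT_RATE = 0.8     # maximum vertical correction rate, m/s
ERR_DURATION = 1.0   # duration of the pilot's wrong action, s

# --- from the paper ---
IDEAL = (-0.76, 1.52)        # Table 4 vertical deviation, ideal band (m)
ACCEPTABLE = (-1.52, 3.05)   # Table 4 vertical deviation, acceptable band (m)
SYMBOL = {"safe": "S", "hazard": "H", "accident": "X"}


@dataclass(frozen=True)
class TriggerEvent:
    """Q = <F, P_m, P_l, P_p, t> plus the concrete value drawn from P_l for one rehearsal."""
    factor: str                      # F: "pilot" or "deck"
    deviation: str                   # P_m: coupling-deviation type (Table 3 wording)
    dev_range: Tuple[float, float]   # P_l: deviation range
    probability: float               # P_p: occurrence probability (assumed; carried for reporting)
    time: float                      # t: process time at which the deviation is injected, s
    value: float                     # chosen deviation inside P_l


# Table 5 trigger events; the probabilities and initial values are placeholders.
Q1 = TriggerEvent("pilot", "wrong action is performed", (-2.0, 2.0), 0.05, 0.0, 0.0)  # deg of path-angle error
Q2 = TriggerEvent("deck", "pitching", (-2.3, 2.3), 0.3, T_END - 3.0, 0.0)             # m, 3 s before landing


def classify(h_dev: float) -> str:
    """Event-view constraint criterion: ideal band -> safe, acceptable band -> hazard, else accident."""
    if IDEAL[0] <= h_dev <= IDEAL[1]:
        return "safe"
    if ACCEPTABLE[0] <= h_dev <= ACCEPTABLE[1]:
        return "hazard"
    return "accident"


def rehearse(triggers: Sequence[TriggerEvent]) -> float:
    """Integrate the vertical deviation from the ideal glide path and return its value at touchdown (m).
    Negative means below the path; a deck rising by x m is seen by the aircraft as flying x m low."""
    steps, delay = round(T_END / DT), round(PILOT_DELAY / DT)
    h, hist = 0.0, []
    for i in range(steps):
        wrong_angle: Optional[float] = None
        for q in triggers:
            if not q.dev_range[0] <= q.value <= q.dev_range[1]:
                raise ValueError(f"{q.factor}: value {q.value} outside P_l {q.dev_range}")
            start = round(q.time / DT)
            if q.factor == "deck" and i == start:
                h -= q.value                                   # deck pitching as a step in the reference
            if q.factor == "pilot" and start <= i < start + round(ERR_DURATION / DT):
                wrong_angle = q.value                          # wrong action overrides the tracking loop
        hist.append(h)
        if wrong_angle is not None:
            rate = V * math.sin(math.radians(wrong_angle))     # climb/descent rate from the wrong angle
        else:
            observed = hist[max(i - delay, 0)]                 # the pilot sees the deviation late
            rate = max(-PILOT_RATE, min(PILOT_RATE, -PILOT_GAIN * observed))
        h += rate * DT
    return h


def rehearse_case(t_err: float, deck_dh: float, pilot_value: float = -2.0) -> float:
    """One cell of the map: wrong action at t_err with the given path-angle error, deck step of deck_dh."""
    return rehearse([replace(Q1, time=t_err, value=pilot_value), replace(Q2, value=deck_dh)])


def safety_map(error_times: Sequence[float] = tuple(float(t) for t in range(0, 8)),
               deck_values: Sequence[float] = (-2.3, -1.15, 0.0, 1.15, 2.3)) -> Dict[Tuple[float, float], str]:
    """Rehearse every (error time, deck variation) pair: the figure-8 style constraint map."""
    return {(t, dh): classify(rehearse_case(t, dh)) for t in error_times for dh in deck_values}


def render(grid: Dict[Tuple[float, float], str]) -> str:
    """Rows = error time, columns = deck variation; S safe, H hazard, X accident."""
    times = sorted({k[0] for k in grid})
    decks = sorted({k[1] for k in grid})
    lines = ["t_err\\dh " + " ".join(f"{d:>6.2f}" for d in decks)]
    for t in times:
        lines.append(f"{t:>8.1f} " + " ".join(f"{SYMBOL[grid[(t, d)]]:>6}" for d in decks))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(safety_map()))
```

The coupling the paper describes shows up directly in the map: a deck rising 2.3 m at 5 s followed by a nose-down wrong action at 7 s leaves the aircraft well below the acceptable band (an accident cell), whereas the same wrong action after a deck dropping 2.3 m lands inside the acceptable band, because the two deviations partly cancel; an early error at 0 s is recovered by the tracking loop before touchdown.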
Conclusion

The accident modelling method proposed in this paper emphasises analysing accidents from multiple views. The event view and the state view clearly set out the hierarchy and functional relations of the complex system process, the temporal and logical relations among the activities, and the coupling relations of the human, equipment and environment involved in each activity. On this basis, the process view reconstructs the complex system process so that safety analysis can be carried out.

The multi-view based accident modelling for complex systems presented in this paper aims to analyse the accident-causing factors and their combinations, and to determine whether the system will have an accident under the effect of certain factors and combinations of factors. The safe state space of the complex system can then be established. Finally, the applicability of the method has been verified through a case study.